14 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky

– $\phi' = \mathit{true}$: $R, t \models_c \mathit{true}$ for all $t$ by the definition of $\models_c$.

– $\phi' = p$: Since all steps between $t^\pi_i$ and $t^\pi_j$ are tick steps, the property follows from the tick-invariance of $p$.

Assume now that the lemma holds for the subformulae $\phi_1$ and $\phi_2$.

– $\phi' = \neg\phi_1$:
$$R, t^\pi_i \models_c \neg\phi_1 \iff \text{not } (R, t^\pi_i \models_c \phi_1) \overset{\text{induction}}{\iff} \text{not } (R, t^\pi_j \models_c \phi_1) \iff R, t^\pi_j \models_c \neg\phi_1 .$$

– $\phi' = \phi_1 \wedge \phi_2$:
$$R, t^\pi_i \models_c \phi_1 \wedge \phi_2 \iff R, t^\pi_i \models_c \phi_1 \text{ and } R, t^\pi_i \models_c \phi_2 \overset{\text{induction}}{\iff} R, t^\pi_j \models_c \phi_1 \text{ and } R, t^\pi_j \models_c \phi_2 \iff R, t^\pi_j \models_c \phi_1 \wedge \phi_2 .$$

– $\phi' = E\,\phi_1\,U_I\,\phi_2$: We define $d_1 = d^\pi_i - n\bar{r}$, $d_2 = d^\pi_j - d^\pi_i$ and $d_3 = (n+1)\bar{r} - d^\pi_j$. Let furthermore $\pi^{pre}$ denote the prefix of $\pi$ ending at $t^\pi_i$, and let $\pi^{pre}_i$ denote the tick sequence $t^\pi_i \xrightarrow{r_i} \dots \xrightarrow{r_{j-1}} t^\pi_j$. Let $m_l\bar{r}$ be the lower bound of $I$. The upper bound of $I$ is either INF or a finite bound $m_u\bar{r}$.

"⇒": The proof structure is illustrated in Figure 1. Assume that $R, t^\pi_i \models_c E\,\phi_1\,U_I\,\phi_2$ holds. Then by definition there is a path $\pi_i \in \mathit{tfPaths}_{T_K}(t^\pi_i)$ such that for each time refinement $\pi'_i \in \mathit{tfPaths}_{T_K}(t^\pi_i)$ of $\pi_i$ there is an index $k$ s.t. $d^{\pi'_i}_k \in I$, $T_K, t^{\pi'_i}_k \models_c \phi_2$, and $T_K, t^{\pi'_i}_l \models_c \phi_1$ for all $0 \le l < k$. Let $\pi_i$ be such a path. Due to time robustness, $\pi_i$ has a time refinement $\pi'_i \in \mathit{tfPaths}_{T_K}(t^\pi_i)$ which contains the state $t^\pi_j$ at time point $d_2$, a state $t^*$ at time point$^7$ $m_l\bar{r} - d_1/2$ in case $m_l > 0$, and a state $t^{**}$ at time point $m_l\bar{r} + d_2$ (which is $t^\pi_j$ in case $m_l = 0$). Note that time robustness assures that the state in $\pi'_i$ at time point $d_2$ is $t^\pi_j$. Let $\pi'_i$ be such a path. Let $\pi^{pre'}_i$ and $\pi_j$ be the prefix resp. suffix of $\pi'_i$ ending resp. starting at $t^\pi_j$ at the time point $d_2$. We show that $\pi_j$ satisfies the conditions for $R, t^\pi_j \models_c E\,\phi_1\,U_I\,\phi_2$. Let $\pi'_j$ be a time refinement of $\pi_j$. Then the concatenation $\pi''_i$ of $\pi^{pre'}_i$ and $\pi'_j$ is a time refinement of $\pi_i$. By assumption there is an index $k$ s.t. $d^{\pi''_i}_k \in I$, $T_K, t^{\pi''_i}_k \models_c \phi_2$, and $T_K, t^{\pi''_i}_l \models_c \phi_1$ for all $0 \le l < k$. Let $k$ be such an index and let $\pi'$ be the concatenation of $\pi^{pre}$ and $\pi''_i$. Remember that $m_l\bar{r}$ is the lower bound of $I$. We distinguish between (i) $d^{\pi''_i}_k \in I_1 = [m_l\bar{r},\, m_l\bar{r} + d_2 + d_3)$ and (ii) $d^{\pi''_i}_k \in I_2 = I \setminus I_1$.

$^7$ For intuition we sample the middle point between $m_l\bar{r} - d_1$ and $m_l\bar{r}$. However, any time point in the interval $(m_l\bar{r} - d_1,\, m_l\bar{r})$ would fit for our purpose.
Timed CTL Model Checking in Real-Time Maude 15

[Figure 1 (diagram not reproduced in the extraction): one timeline row for each of $\pi$, $\pi_i$, $\pi'_i$, $\pi_j$, $\pi'_j$, $\pi''_i$ and $\pi'$ over a time axis marked $0, \bar{r}, 2\bar{r}, 3\bar{r}, 4\bar{r}, 5\bar{r}$, showing $t^\pi_i$ and $t^\pi_j$ between $n\bar{r}$ and $(n+1)\bar{r}$, the distances $d_1$, $d_2$, $d_3$, the states $t^*$ at $m_l\bar{r} - d_1/2$ and $t^{**}$ at $m_l\bar{r} + d_2$, and the intervals $I$, $I_1$, $I_2$.]

Fig. 1: Lemma 1: Proof structure for the "⇒" direction of existentially quantified bounded until